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This listing of claims will replace all prior versions, and listings, of claims in the application: 

1. (Currently Amended) A method for controlling subscriber access in a network capable of 
establishing connections with a plurality of domains, comprising: 

receivin g, at an access server coupled to a first communication network and a second 
communication network, a communication fi-om a subscriber on said using a first 
communication network coupl e d to at l e ast on e other communication n e twork , said 
communication optionally including a domain identifier associated with a domain on 
said at l e ast on e other second communication network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said communication; and 

authorizing subscriber access to said domain on said second communication network when 
said domain identifier is included in said list. 

2. (Original) The method of claim 1, further comprising terminating said communication when 
said domain identifier is not included in said list. 

3. (Original) The method of claim 1 wherein said communication comprises a Point-to-Point 
Protocol (PPP) session. 

4. (Original) The method of claim 3 wherein 
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said PPP session comprises a tunneling session; 
said determining further comprises assigning a tunnel ID; and 
said PPP session is forwarded onto a tunnel associated with said tunnel ID when said 
subscriber is authorized to access said domain. 

(Original) The method of claim 4 wherein said tunneling session comprises an L2TP 
session. 

(Original) The method of claim 5 wherein said determining further comprises: 
issuing an authorized domain list request including a virtual circuit identifier; 
receiving an authorized domain list that includes authorized domains for said identifier; 
indicating said domain is unauthorized when said domain name is not in said domain list; 
indicating said domain is authorized when said domain name is in said domain list; 
issuing a tunnel ED request including said domain name when said domain name is 

authorized; and 
receiving a tunnel ID. 

(Original) The method of claim 6 wherein 

said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ID request. 

(Original) The method of claim 6 wherein said virtual circuit identifier comprises a 
VPIA^CI identifier. 
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9. (Original) The method of claim 5 wherein said determining further comprises: 

issuing a tunnel ID request including said domain name and a virtual circuit identifier; and 
receiving a tunnel ID. 

10. (Original) The method of claim 9 wherein an AAA server services said tunnel JD request. 

11. (Original) The method of claim 9 wherein said virtual circuit identifier comprises a 
VPI/VCI identifier. 

12. (Original) The method of claim 5 wherein said determining further comprises: 
performing a table lookup based on a virtual circuit identifier to obtain an authorized domain 

list that includes authorized domains far said virtual circuit identifier; 
indicating said domain is unauthorized when said domain name is not in said authorized 
domain list; 

indicating said domain is authorized when said domain name is in said authorized domain 
list; and 

performing a table lookup based on said domain name to obtain a tunnel ID when said 
domain name is authorized. 

13. (Original) The method of claim 12 wherein said virtual circuit identifier comprises a 
VPWCI identifier. 

4 of 29 



CISCO-3096 (032590-000118) 

14. (Currently Amended) A program storage device readable by a machine, embodying a 

program of instructions executable by the machine to perform a method to control subscriber 
access in a network capable of estabUshing connections with a plurahty of domains, the 
method comprising: 

receivin g, at an access server coupled to a first commimication network and a second 
communication network, a communication from a subscriber on said using a first 
commimication network coupl e d to at l e ast on e oth e r communication n e twork , said 
communication optionally including a domain identifier associated with a domain on 
said at l e ast on e oth e r second communication network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said communication; and 

authorizing subscriber access to said domain on said second communication network when 
said domain identifier is included in said list. 

15. (Original) The program storage device of claim 14, fiirther comprising terminating said 
communication when said domain identifier is not included in said list. 

16. (Original) The program storage device of claim 14 wherein said communication comprises a 
Point-to-Point Protocol (PPP) session. 

17. (Original) The program storage device of claim 16 wherein 
said PPP session comprises a timneling session; 
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said determining further comprises assigning a tunnel ID; and 
said PPP session is forwarded onto a tunnel associated with said tunnel ID when said 
subscriber is authorized to access said domain. 

18. (Original) The program storage device of claim 17 wherein said tunneling session comprises 
an L2TP session. 

19. (Original) The program storage device of claim 18 wherein said determining further 
comprises: 

issuing an authorized domain list request including a virtual circuit identifier; 
receiving an authorized domain list that includes authorized domains for said identifier; 
indicating said domain is unauthorized when said domain name is not in said domain list; 
indicating said domain is authorized when said domain name is in said domain list; 
issuing a tunnel ID request including said domain name when said domain name is 

authorized; and 
receiving a turmel ID. 

20. (Original) The program storage device of claim 19 wherein 

said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ED request. 

21. (Original) The program storage device of claim 19 wherein said virtual circuit identifier 
comprises a VPWCI identifier. 
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22. (Original) The program storage device of claim 18 wherein said determining further 
comprises: 

issuing a tunnel ID request including said domain nanie and a virtual circuit identifier; and 
receiving a tunnel ID. 

23. (Original) The program storage device of claim 22 wherein an AAA server services said 
tunnel ID request. 

24. (Original) The program storage device of claim 22 wherein said virtual circuit identifier 
comprises a VP WCI identifier. 

25. (Original) The program storage device of claim 18 wherein said determining fiuther 
comprises: 

performing a table lookup based on a virtual circuit identifier to obtain an authorized domain 
list that includes authorized domains for said virtual circuit identifier; 

indicating said domain is unauthorized when said domain name is not in said authorized 
domain list; 

indicating said domain is authorized when said domain name is in said authorized domain 
list; and 

performing a table lookup based on said domain name to obtain a tunnel ID when said 
domain name is authorized. 
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26. (Original) The program storage device of claim 25 wherein said virtual circuit identifier 

comprises a VPWCI identifier. 

27. (Currently Amended) An apparatus for controlling subscriber access in a network capable of 
establishing connections with a plurality of domains, the apparatus comprising: 

means for receivin g, at an access server coupled to a first commimication network and a 
second communication network, a communication firom a subscriber on said using a 
first communication network coupl e d to at l e ast on e oth e r communication n e twork , said 
communication optionally including a domain identifier associated with a domain on 
said at l e ast on e oth e r second communication network; 

means for determining whether said subscriber is authorized to access said domain based 
upon said domain identifier and a list of authorized domains for a virtual circuit used to 
receive said communication; mid 

means for authorizing subscriber access to said domain on said second conmiimication 
network when said domain identifier is included in said list. 

28. (Original) The apparatus of claim 27, fiirther comprising means for terminating said 
communication when said domain identifier is not included in said list. 

29. (Original) The apparatus of claim 27 wherein said communication comprises a Point-to- 
Point Protocol (PPP) session. 

30. (Original) The apparatus of claim 29 wherein 
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said PPP session comprises a tunneling session; 

said determining further comprises means for assigning a tunnel ID; and 
said PPP session is forwarded onto a tunnel associated with said tunnel ID when said 
subscriber is authorized to access said domain. 

31. (Original) The apparatus of claim 30 wherein said tunneling session comprises an L2TP 
session. 

32. (Previously Presented) The apparatus of claim 31 wherein said determining further 
comprises: 

means for issuing an authorized domain list request including a virtual circuit identifier; 
means for receiving an authorized domain list that includes authorized domains for said 
identifier; 

means for indicating said domain is unauthorized when said doma;in name is not in said 
domain list; 

means for indicating said domain is authorized when said domain name is in said domain 
list; 

means for issuing a tuimel ID request including said domain name when said domain name 

is authorized; and 
means for receiving a tunnel ID. 

33. (Original) The apparatus of claim 32 wherein 

said authorized domain list request is serviced by an AAA server; and 
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an AAA server services said tunnel ID request. 

34. (Original) The apparatus of claim 32 wherein said virtual circuit identifier comprises a 
WVyvCl identifier. 

35. (Original) The apparatus of claim 31 wherein said determining fiirther comprises: 
means for issuing a tunnel ID request including said domain name and a virtual circuit 

identifier; and 
means for receiving a tunnel ID. 

36. (Original) The apparatus of claim 35 wherein an AAA server services said tunnel ED 
request. 

37. (Original) The apparatus of claim 35 wherein said virtual circuit identifier comprises a 
VPWCI identifier. 

38. (Original) The apparatus of claim 31 wherein said determining fiirther comprises: 
means for performing a table lookup based on a virtual circuit identifier to obtain an 

authorized domain list that includes authorized domains for said virtual circuit 
identifier; 

means for indicating said domain is unauthorized when said domain name is not in said 
authorized domain list; 
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means for indicating said domain is authorized when said domain name is in said authorized 

domain list; and 

means for performing a table lookup based on said domain name to obtain a tunnel ID when 
said domain name is authorized. 

39. (Original) The apparatus of claim 38 wherein said virtual circuit identifier comprises a 
VP WCI identifier. 

40. (Original) An access server capable of forcing subscribers of a communications system to 
gain access exclusively to a domain network associated with a virtual circuit, said access 
server comprising: 

an authorized domain list request generator capable of generating an authorized domain list 
request including a virtual circuit identifier associated with a virtual circuit used to 
accept a PPP session authentication request,, said PPP session authentication request 
including a domain identifier; 

an assessor capable of determining whether said domain identifier is in said domain list; 

a tunnel TD request generator capable of generating a tunnel ID* request including said 
domain identifier; and 

an authorizer capable of granting users domain access based upon said authorized domain 
hst. 

41. (Original) The access server of claim 40, further comprising: 

a first receiving interface capable of accepting said PPP session authentication request; 

11 of 29 

SV ^r217383 vi. 



CISCO-3096 (032590-0001 18) 
a first forwarding interface capable of sending said authorized domain list request to an 

AAA server; 

a second receiving interface capable of accepting a requested authorized domain list; a 
second forwarding interface capable of sending said tunnel ID request to an AAA 
server; 

a third receiving interface capable of accepting a requested tunnel ID; and 
a third forwarding interface capable of forwarding said PPP session on a tunneUng session 
associated with said tunnel ID. 

42. (Original) The access server of claim 40 wherein said tunneling session comprises an L2TP 
session. 

43. (Original) The access server of claim 42 wherein said virtual circuit identifier comprises a 
Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI). 

44. (Original) The access server of claim 43 wherein said first receiving interface comprises at 
least one access multiplexer, each access multiplexer having a plurality of inputs for 
receiving a service request, each of said inputs being associated with a particular subscriber 
virtual circuit. 

45. (Original) The access server of claim 41 wherein said AAA server and said access server 
conmumicate using the Remote Authorization Dial-In User Service (RADIUS) protocol. 
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46. (Original) An access server capable of forcing subscribers of a communications system to 

gain access exclusively to a domain network associated with a virtual circuit, said access 
server comprising: 

a tunnel ID request generator capable of generating a tunnel ID request, said tunnel ED 
request including a virtual circuit identifier associated with a virtual circuit used to 
accept a PPP authentication request; and 

an authorizer capable of granting users domain access based upon a list of authorized 
domains for said virtual circuit. 

47. (Original) The access server of claim 46, further comprising: 

a first receiving interface capable of accepting said PPP session authentication request, said 
PPP session authentication request including a domain identifier; 

a first forwarding interface capable of sending said tunnel ID request to an AAA server; 

a second receiving interface capable of accepting a requested tunnel ID; and 

a second forwarding interface capable of forwarding said PPP session on a tunneling session 
associated with said tunnel ID. 

48. (Original) The access server of claim 47 wherein said tunneling session comprises an L2TP 
session. 

49. (Original) The access server of claim 48 wherein said virtual circuit identifier comprises a 
Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI), 
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50. (Original) The access server of claim 46 wherein said first receiving interface comprises at 

least one access multiplexer, each access multiplexer having a pluraUty of inputs for 
receiving a service request, each of said inputs being associated with a particular subscriber 
virtual circuit. 

51. (Original) The access server of claim 47 wherein said AAA server and said access server 
communicate using the Remote Authorization Dial-In User Service (RADIUS) protocol. 

52. (Original) An access server capable of forcing subscribers of a communications system to 
gain access exclusively to a domain network associated with a virtual circuit, said access 
server comprising: 

a memory device capable of storing a domain list table and a tunnel ED table, said domain 
list table including a plurality of virtual circuit identifiers and associated domain 
identifiers, said tunnel ID table including a plurality of domain names and associated 
tunnel IDs; 

an authorized domain list determiner capable of determining an authorized domain list based 
upon said domain list table and a domain identifier within a PPP authentication request, 
said PPP authentication request received on a virtual circuit having a virtual circuit 
identifier; 

an assessor capable of determining whether said domain identifier is in said domain Ust; 
a tunnel ID determiner capable of determining a tunnel ID based upon said tunnel ID table 
and said domain identifier; and 
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an authorizer capable of granting subscribers domain access based upon said authorized 

domain list. 

53. (Previously Presented) The access server of claim 52, further comprising: 

a receiving interface capable of accepting said PPP session authentication request; and 
a forwarding interface capable of forwarding said PPP session on a tunneling session 
associated with said tunnel ID. 

54. (Original) The access server of claim 53 wherein said tunneling session comprises an L2TP 
session. 

55. (Original) The access server of claim 54 wherein said virtual circuit identifier comprises a 
Virtual Path Identifier (VPI) / Virtual Channel Identifier (VCI). 

56. (Original) The access server of claim 52 wherein said first receiving interface comprises at 
least one access multiplexer, each access multiplexer having a plurality of inputs for 
receiving a service request, each of said inputs being associated with a particular subscriber 
virtual circuit. 

57. (Previously Presented) A method for controlling subscriber access in a network capable of 
establishing connections with a plurality of domains, comprising: 

receiving an L2TP session fi'om a subscriber using a first commimication network coupled to 
at least one other communication network, said L2TP session optionally including a 
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domain identifier associated with a domain on said at least one other communication 

network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said L2TP session, said determining comprising: 

issuing an authorized domain list request including a virtual circuit identifier; 
receiving an authorized domain list that includes authorized domains for said identifier; 
indicating said domain is unauthorized when said domain name is not in said domain 
Ust; 

indicating said domain is authorized when said domain name is in said domain list; 
issuing a timnel ID request including said domain name when said domain name is 

authorized; 
receiving a tunnel ID; and 
assigning said tunnel ID; and 
authorizing subscriber access to said domain when said domain identifier is included in said 
list, wherein said L2TP session is forwarded onto a tunnel associated with said tunnel 
ID when said subscriber is authorized to access said domain. 

58. (Previously Presented) The method of claim 57 wherein 

said authorized domain list request is serviced by an AAA server; and 
an AAA server services said ttmnel ID request. 
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59. (Previously Presented) The method of claim 57 wherein said virtual circuit identifier 

comprises a VP WCI identifier. 

60. (Previously Presented) A method for controlling subscriber access in a network capable of 
establishing connections with a plurahty of domains, comprising: 

receiving an L2TP session fi-om a subscriber using a first communication network coupled to 
at least one other communication network, said L2TP session optionally including a 
domain identifier associated with a domain on said at least one other communication 
network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a Ust of authorized domains for a virtual circuit used to receive 
said L2TP session, said determining comprising: 

performing a table lookup based on a virtual circuit identifier to obtain an authorized 
domain list that includes authorized domains far said virtual circuit identifier; 

indicating said domain is unauthorized when said domain name is not in said authorized 
domain list; 

indicating said domain is authorized when said domain name is in said authorized 
domain list; 

performing a table lookup based on said domain name to obtain a tunnel ED when said 
domain name is authorized; and 
assigning said tunnel ID; and 
authorizing subscriber access to said domain when said domain identifier is included in said 
list, wherein said L2TP session is forwarded onto a timnel associated with said timnel 
JD when said subscriber is authorized to access said domain. 
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61. (Previously Presented) The method of claim 60 wherein said virtual circuit identifier 
comprises a VPWCI identifier. 

62. (Previously Presented) A program storage device readable by a machine, embodying a 
program of instructions executable by the machine to perform a method to control subscriber 
access in a network capable of establishing connections with a pluraUty of domains, the 
method comprising: 

receiving an L2TP session firom a subscriber using a first communication network coupled to 
at least one other commxmication network, said L2TP session optionally including a 
domain identifier associated with a domain on said at least one other communication 
network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said L2TP session, said determining comprising: 

issuing an authorized domain list request including a virtual circuit identifier; 
receiving an authorized domain list that includes authorized domains for said identifier; 
indicating said domain is unauthorized when said domain name is not in said domain 
Ust; 

indicating said domain is authorized when said domain name is in said domain list; 
issuing a tunnel ID request including said domain name when said domain name is 

authorized; 
receiving a txmnel ID; and 
assigning said tunnel ID; and 
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authorizing subscriber access to said domain when said domain identifier is included in said 

Hst, wherein said L2TP session is forwarded onto a timnel associated with said timnel 

JD when said subscriber is authorized to access said domain. 

63. (Currently Amended) The m e thod program storage device of claim 62 wherein 
said authorized domain list request is serviced by an AAA server; and 

an AAA server services said tunnel ID request. 

64. (Currently Amended) The m e thod program storage device of claim 62 wherein said virtual 
circuit identifier comprises a VP WCI identifier. 

65. (Previously Presented) A program storage device readable by a machine, embodying a 
program of instructions executable by the machine to perform a method to control subscriber 
access in a network capable of establishing connections with a plurality of domains, the 
method comprising: 

receiving an L2TP session from a subscriber using a first communication network coupled to 
at least one other communication network, said L2TP session optionally including a 
domain identifier associated with a domain on said at least one other communication 
network; 

determining whether said subscriber is authorized to access said domain based upon said 
domain identifier and a list of authorized domains for a virtual circuit used to receive 
said L2TP session, said determining comprising: 

performing a table lookup based on a virtual circuit identifier to obtain an authorized 
domain list that includes authorized domains far said virtual circuit identifier; 
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indicating said domain is unauthorized when said domain name is not in said authorized 

domain list; 

indicating said domain is authorized when said domain name is in said authorized 
domain Hst; 

perfomiing a table lookup based on said domain name to obtain a tunnel ID when said 
domain name is authorized; and 
assigning said txmnel ID; and 
authorizing subscriber access to said domain when said domain identifier is included in said 
list, wherein said L2TP session is forwarded onto a tunnel associated with said timnel 
ID when said subscriber is authorized to access said domain. 

66. (Currently Amended) The m e thod program storage device of claim 65 wherein said virtual 
circuit identifier comprises a VP WCI identifier. 

67. (Previously Presented) An apparatus for controlling subscriber access in a network capable 
of establishing connections with a plurality of domains, comprising: 

means for receiving an L2TP session from a subscriber using a first communication network 
coupled to at least one other communication network, said L2TP session optionally 
including a domain identifier associated with a domain on said at least one other 
communication network; 

means for determining whether said subscriber is authorized to access said domain based 
upon said domain identifier and a list of authorized domains for a virtual circuit used to 
receive said L2TP session, said means for determining comprising: 
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means for issuing an authorized domain list request including a virtual circuit identifier; 

means for receiving an authorized domain list that includes authorized domains for said 

identifier; 

means for indicating said domain is unauthorized when said domain name is not in said 
domain Ust; 

means for indicating said domain is authorized when said domain name is in said 
domain list; 

means for issuing a tunnel ID request including said domain name when said domain 

name is authorized; 
means for receiving a timnel ID; and 
means for assigning said tunnel ID; and 
means for authorizing subscriber access to said domain when said domain identifier is 
included in said Ust, wherein said L2TP session is forwarded onto a txmnel associated 
with said tunnel ID when said subscriber is authorized to access said domain. 

68. (Currently Amended) The m e thod apparatus of claim 67 wherein 
said authorized domain list request is serviced by an AAA server; and 
an AAA server services said tunnel ID request. 

69. (Currently Amended) The m e thod a pparatus of claim 67 wherein said virtual circuit 
identifier comprises a VP WCI identifier. 

70. (Previously Presented) An apparatus for controlling subscriber access in a network capable 
of establishing connections with a plurality of domains, comprising: 
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means for receiving an L2TP session from a subscriber using a first commimication network 

coupled to at least one other communication network, said L2TP session optionally 

including a domain identifier associated with a domain on said at least one other 

communication network; 

means for determining whether said subscriber is authorized to access said domain based 

upon said domain identifier and a list of authorized domains for a virtual circuit used to 

receive said L2TP session, said means for determining comprising: 

means for performing a table lookup based on a virtual circuit identifier to obtain an 

authorized domain list that includes authorized domains far said virtual circuit 

identifier; 

means for indicating said domain is unauthorized when said domain name is not in said 

authorized domain list; 
means for indicating said domain is authorized when said domain name is in said 

authorized domain list; 
means for performing a table lookup based on said domain name to obtain a tunnel ED 

when said domain name is authorized; and 

assigning said tunnel ID; and 
means for authorizing subscriber access to said domain when said domain identifier is 
included in said list, wherein said L2TP session is forwarded onto a tunnel associated 
with said tunnel ID when said subscriber is authorized to access said domain. 

71 . (Currently Amended) The m e thod a pparatus of claim 70 wherein said virtual circuit 
identifier comprises a VPWCI identifier. 
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